
Framework for Role-Based Delegation Models

by

Ezedin S. Barka

A Dissertation

Submitted to

the Graduate Faculty

of

George Mason University

in Partial Fulfillment of

the Requirements for the Degree

of

Doctor of Philosophy

Information Technology

Committee:

___________________________ Dr. Ravi Sandhu, Dissertation Director

___________________________ Dr. Edgar Sibley

___________________________ Dr. David Rine

___________________________ Dr. Xiaoyang Wang

___________________________ Dr. Stephen G. Nash, Associate Dean of Graduate Studies and Research

___________________________ Dr. Lloyd J. Griffith, Dean, School of Information Technology and Engineering

Date: _______________________ Summer Semester 2002

George Mason University
Fairfax, Virginia

FRAMEWORK FOR ROLE-BASED DELEGATION MODELS

A Dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy at George Mason University.

By Ezedin S. Barka
BS, University of Indiana, Bloomington, IN, May 1983
MS, University of Maryland, College Park, MD, December 1991

Director: Dr. Ravi S. Sandhu, Professor, Information and Software Engineering

Summer 2002
George Mason University
Fairfax, Virginia

Copyright 2002 by Ezedin S. Barka
All Rights Reserved

DEDICATION

“All Praises due to Allah, the graceful, and the most sustainer”

I would like to dedicate this to my parents for bringing me to this world and for their continuous prayers and encouragement, to my wife Hadia for her patience and unlimited support, and to my two sons Rabie and Rauf for bringing happiness to my life.

Without their prayers and love, this work could not have been completed.


ACKNOWLEDGEMENTS

I would like to sincerely express my gratitude and appreciation to my dissertation director, Professor Ravi Sandhu, who has been so graceful all the way and has provided valuable guidance and encouragement during my doctoral study.

Also, I would like to thank the members of my committee, Professor Edgar Sibley, Professor David Rine, and Professor Xiaoyang Wang. I am thankful for their valuable comments and suggestions on my dissertation.

I am particularly thankful to my parents, to my wife Hadia, and to my two sons for their prayers and patience.

–  –  –

FRAMEWORK FOR ROLE-BASED DELEGATION MODELS

Ezedin S. Barka, Ph.D.

George Mason University, 2002
Dissertation Director: Dr. Ravi S. Sandhu

The basic idea behind delegation is that some active entity in a system delegates authority to another active entity in order to carry out some functions on behalf of the former.

Delegation can take many forms: human to human, human to machine, machine to machine, and perhaps even machine to human. In this dissertation, I focus on the human to human form of delegation. Specifically, I consider the ability of a user who is a member of a role to delegate his or her role to another user who belongs to some other role. For example, a professor in a university who is also a member in an advising committee role can delegate his/her membership in the advising committee role to another professor who belongs to another committee role. This delegation can take the form of being either permanent or temporary delegation. Moreover, the same professor can delegate only part of his/her professor role (i.e. instructor) to his/her assistant. This delegation can be only temporary.

In this dissertation, I present a comprehensive approach to role-based delegation. More specifically, I identify the characteristics related to delegation, which can be used to develop delegation models; I use a systematic approach to reduce a large number of possible cases to smaller sensible ones; and I formally define and derive some delegation models using roles based on those cases.

The thesis of this research is as follows:

It is possible, by adding a can-delegate relation to the RBAC model in conjunction with constraints, to produce a framework for role-based delegation models. The research approach used to produce a framework for role-based delegation models is an exploratory approach.

In this dissertation, the scope of my work is to address user-to-user delegation based on RBAC96. I use the RBAC96 family of models as the base for my research. I first consider temporary delegation within the framework of RBAC96-Flat-Roles (or RBAC0). Then I evolve the model to address other variations of delegation that include delegation based on role hierarchies, permanent delegation, partial delegation, delegation based on the administrator of the actual delegation, and so forth. I also address some issues that deal with revocation. In particular, I consider cascading revocation and grant-independent revocation. I chose this approach in order to work out a simple but useful model in complete detail and then to extend this model gradually to introduce other aspects to add functionality in an incremental manner.

This dissertation shows that by adding a can-delegate relation to the RBAC model in conjunction with constraints, it is possible to produce a framework for role-based

–  –  –





INTRODUCTION AND PROBLEM STATEMENT

1.1. Introduction

Role-based access control (RBAC) has received considerable attention as an established alternative to traditional discretionary and mandatory access control [FCK95, SCFY96, San97]. A role is a semantic construct forming the basis for access control policy. In RBAC, permissions are associated with roles, and users are made members of appropriate roles based on their responsibilities and qualifications, thereby acquiring the permissions of these roles. In RBAC, users can be easily reassigned from one role to another, roles can be granted new permissions for new applications as systems come online, and permissions can be revoked with regard to roles as needed. This greatly simplifies security management.

The basic idea behind delegation is that some active entity in a system delegates authority to another active entity to carry out some functions on behalf of the former. Delegation in computers can be human-to-human, human-to-machine, machine-to-machine, and perhaps even machine-to-human. Most delegation models in the literature address human-to-machine and machine-to-machine delegation [Glad97], [ABLP96], [GM90], [VAS91]. Models for propagation of access rights also relate to delegation indirectly (e.g. HRU, TAM, ATAM, SPM, and the Take Grant model) [HRU76], [San97], [Lamp71].

In this dissertation my focus is on human-to-human delegation. Specifically, I consider the ability of a user who belongs to a certain role to delegate a role to another user who belongs to another role. For example, a professor in a university who is also a member in an advising committee role can delegate his/her membership in the advising committee role to another professor who belongs to another committee role. This delegation can take the form of being either permanent or temporary delegation. Moreover, the same professor can delegate only part of his/her professor role (i.e. instructor) to his/her assistant. This delegation can be only temporary. The type of delegation discussed above has not received much attention in the literature so far.

This dissertation takes an exploratory approach towards analyzing the problem of delegation and producing a framework for role-based delegation models. I begin by identifying a number of characteristics related to delegation between humans, then I use these characteristics to create an exhaustive combination of possible delegation cases, and lastly, I develop a framework for building good cases that can be used for developing potential role-based delegation models. This is the first systematic attempt toward addressing the problem of delegation between humans using roles. I emphasize that the delegation itself occurs within the computer system even though it is human to human.

This work involves the investigation and formalization of role-based delegation models using nine different delegation characteristics. These nine characteristics give us a large number of possible combinations. I systematically reduce this large number of possibilities to a few practically useful cases. These cases are used for formalizing the aspects of delegation based on the Role-Based Access Control Model (RBAC) [San96].

To appreciate the motivation behind role-based delegation, consider the roles in Figure 1.1 from a hypothetical computer science department in a university. An intuitive physical scenario to illustrate delegation would be to have a professor give the key for his office to a secretary to do some filing, or allow his teaching assistant to administer an exam or grade homework. Another scenario would be to have a guest speaker from outside of the school faculty substitute for the original assigned professor. All of these activities are considered delegation simply because in each case an original member of a role is delegating his/her role membership to someone else to perform some task on his or her behalf. This can benefit the overall interests of the organization by letting the work continue even in the absence of the original member of that role. These types of activities have to be monitored and controlled in such a manner so that the resources inside the organization can stay protected. For example, in Figure 1.1 a professor could be permitted to delegate the professor role to a secretary or a teaching assistant but not to a student. Also, for example, a teaching assistant who is given the key to a professor’s office is not allowed to further give the key to someone else (this is called one step delegation).

–  –  –

1.2 Brief Overview of Role-Based Access Control Model (RBAC96)

The RBAC96 model, which was developed by Sandhu, et al. [San96], is based on three sets of entities called Users (U), Roles (R), and Permissions (P) (see Figure 1.2).

A user (U) is a human being or an autonomous agent. A role (R) is a job title or a job function in the organization with associated semantics concerning responsibility and authority. A permission (P) is a description of the type of authorized interactions a subject can have with one or more objects.

Access control policy is embodied in RBAC components such as user-role, role-permission, and role-role relationships. These RBAC components determine whether a particular user is allowed access to a specific piece of system data. A user can be assigned many roles, and a role can be assigned to many users. The many-to-many assignment relation User-Assignment (UA) captures this property. A role can be assigned many permissions, and a permission can be assigned to many roles. The many-to-many assignment relation Permission-Assignment (PA) captures this property.

–  –  –

The formal definition for RBAC96 is as follows:

Definition 1.1: The RBAC96 model has the following components:

1. U, R, P, which are, respectively, the sets of users, roles, and permissions.

2. UA ⊆ U x R, which is a many-to-many User-Assignment relation assigning a

–  –  –

4. RH ⊆ R x R is a partial order on R called role hierarchy.

I have omitted the session concept from RBAC96 for simplicity, since it is not directly relevant to the work in this dissertation.
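The following is an added illustration, not code from the dissertation: it encodes the RBAC96 components of Definition 1.1 (U, R, P, UA, PA and a role hierarchy RH taken as the reflexive-transitive closure of direct senior-to-junior edges, sessions omitted as in the text) and then adds a hypothetical can-delegate relation with the two constraints from the Figure 1.1 scenario in Section 1.1: a professor may delegate the professor role to a secretary or a teaching assistant but not to a student, and a delegated membership cannot be passed on (one step delegation). The names `CAN_DELEGATE` and `UAD` (delegated memberships kept apart from the original `UA`), the role and permission names, and the users are all constructed for the example; they are not the dissertation's formal definitions, which this page does not show.

```python
from typing import Set, Tuple

Pair = Tuple[str, str]

# --- RBAC96 components (Definition 1.1; sessions omitted as in the text) ---
# Constructed sample data loosely modelled on the Figure 1.1 department.
U: Set[str] = {"alice", "bob", "carol", "dave", "erin"}
R: Set[str] = {"professor", "ta", "secretary", "student"}
P: Set[str] = {"administer_exam", "grade_homework", "file_documents", "read_syllabus"}

# UA ⊆ U × R: original (non-delegated) user-role memberships.
UA: Set[Pair] = {("alice", "professor"), ("bob", "ta"), ("carol", "secretary"),
                 ("dave", "student"), ("erin", "professor")}
# PA ⊆ P × R: permission-role assignments.
PA: Set[Pair] = {("administer_exam", "professor"), ("grade_homework", "ta"),
                 ("file_documents", "secretary"), ("read_syllabus", "student")}
# RH ⊆ R × R, given here as direct senior -> junior edges; the partial order
# is their reflexive-transitive closure, computed by juniors() below.
RH: Set[Pair] = {("professor", "ta"), ("ta", "student")}


def juniors(role: str) -> Set[str]:
    """All roles r' with role ≥ r' in the hierarchy, including role itself."""
    seen, stack = {role}, [role]
    while stack:
        current = stack.pop()
        for senior, junior in RH:
            if senior == current and junior not in seen:
                seen.add(junior)
                stack.append(junior)
    return seen


def authorized_roles(user: str, *assignments: Set[Pair]) -> Set[str]:
    """Roles a user holds directly (in any given UA-style relation) or by inheritance."""
    roles: Set[str] = set()
    for relation in assignments:
        for u, r in relation:
            if u == user:
                roles |= juniors(r)
    return roles


def authorized_permissions(user: str, *assignments: Set[Pair]) -> Set[str]:
    """Permissions reachable through the user's authorized roles."""
    roles = authorized_roles(user, *assignments)
    return {p for p, r in PA if r in roles}


# --- Hypothetical can-delegate relation (an assumption of this example) ---
# Pairs (delegated role, role the delegatee must originally hold). Per the
# Figure 1.1 example a professor may delegate to a secretary or TA, not a student.
CAN_DELEGATE: Set[Pair] = {("professor", "secretary"), ("professor", "ta")}

# Delegated memberships live in UAD, separate from UA, so that the one-step
# rule can tell original members from delegated ones.
UAD: Set[Pair] = set()


def delegate(delegator: str, role: str, delegatee: str) -> bool:
    """Record (delegatee, role) in UAD if the constraints allow it; else refuse."""
    # One-step delegation: only an ORIGINAL member of the role may delegate it.
    # A user whose membership came through UAD therefore cannot pass it on.
    if (delegator, role) not in UA:
        return False
    # No self-delegation and no duplicate membership.
    if delegatee == delegator or (delegatee, role) in UA or (delegatee, role) in UAD:
        return False
    # The delegatee must originally belong to a role paired with `role` in CAN_DELEGATE.
    delegatee_roles = {r for u, r in UA if u == delegatee}
    if not any((role, r) in CAN_DELEGATE for r in delegatee_roles):
        return False
    UAD.add((delegatee, role))
    return True


if __name__ == "__main__":
    print("alice (professor):", sorted(authorized_permissions("alice", UA)))
    print("alice -> bob (TA):", delegate("alice", "professor", "bob"))
    print("alice -> dave (student):", delegate("alice", "professor", "dave"))
    print("bob -> carol (one-step violated):", delegate("bob", "professor", "carol"))
    print("bob after delegation:", sorted(authorized_permissions("bob", UA, UAD)))
```

Keeping delegated memberships in a separate relation is what makes the one-step check a single set lookup; folding them into UA would lose the information needed to stop a delegatee from delegating further, and it also gives a later revocation step a clean place to remove delegated entries without touching original assignments.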

1.3 Problem Statement

In the information security arena, one of the most interesting and promising techniques proposed is Role-Based Access Control. In the last few years, much work has been done in the definition and implementation of RBAC. However, so far the concept of delegation in RBAC has not been studied. Delegation in computer systems can be human to human, human to machine, machine to machine, and perhaps even machine to human.

These types of delegations have received some attention in the literature; however, the concept of human to human delegation has not been systematically analyzed. This thesis focuses on human to human delegation in computer systems. Specifically, I develop a series of simple but practically useful models for delegation, in which a user can use RBAC philosophy to delegate his or her role to another user who belongs to another role.

This research is the first attempt to address this type of delegation.

Performing human to human delegation within the framework of RBAC will contribute to the evolution of RBAC, adding to the already positive reputation of RBAC, and will give us a simple and effective way to address the concept of delegation between humans.

The scope of my work, then, is to address user-to-user delegation based on RBAC. I will use the RBAC96 family of models as the base for my research [SCFY96]. I will first consider temporary delegation within the framework of RBAC96-Flat-Roles (or RBAC0). Then I will evolve the model to address other variations of delegation that include delegation based on role hierarchies, permanent delegation, partial delegation, delegation based on the administrator of the actual delegation, and so forth. I will also address some issues that deal with revocation. In particular, I will consider cascading revocation and grant-dependent revocation. I chose this approach in order to work out a simple but useful model in complete detail and then gradually to introduce other aspects to add functionality in an incremental manner.

–  –  –

The thesis of this research is as follows:

It is possible, by adding a can-delegate relation to the RBAC in conjunction with constraints to produce a framework for role-based delegation models.

The research approach used to produce a framework for role-based delegation models is an exploratory approach.

1.5 Summary of Contributions

(1) My first contribution in this dissertation is that I have provided a framework for role-based delegation models. This was accomplished by identifying the characteristics related to delegation, using these characteristics to generate possible delegation cases, and using a systematic approach to reduce the large number of cases into a few cases, which can be used to build role-based

–  –  –


